CVE coverage

Debian 11 CVE tracker

Noxen pulls Debian 11 (Bullseye) CVE data from OSV.dev's Debian ecosystem feed, which mirrors the Debian Security Tracker. Bullseye is in the Debian LTS phase (maintained by Freexian) through August 2026, so security backports still land — Noxen surfaces them with exact fix versions and matches against the installed source package.

Live

Headline numbers

  • Total CVE records (all distros)Loading…
  • Last buildLoading…
  • OSV records (Debian + others)Loading…
  • NVD records (cross-platform)Loading…

How matching works

What Noxen does for a Debian 11 host

  1. Reads /etc/os-release over SSH to confirm the host is on Debian 11.
  2. Reads the dpkg package list — every binary package, plus its corresponding source package via dpkg-query --showformat='${Source}'.
  3. Filters the local feed cache to OSV records tagged with ecosystem Debian:11.
  4. For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
  5. Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.

Live listings

Top recent critical CVEs (Debian 11 / Debian ecosystem)

Most-recently-published critical CVEs in the Debian 11 / Debian ecosystem. Auto-deduped to one row per CVE ID. Snapshot baked at ; live re-fetch on page load.

CVESev.CVSSSummaryPackageFix inPublished
DEBIAN-CVE-2026-11526critical9.8GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename thatlibgd-perl
DEBIAN-CVE-2026-47691critical10.0Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cachenetty
DEBIAN-CVE-2026-45674critical10.0Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responsesnetty
DEBIAN-CVE-2026-12027critical9.6Inappropriate implementation in Headless in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severitchromium
DEBIAN-CVE-2026-49261critical10.0MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commandsmariadb
DEBIAN-CVE-2026-9648critical9.1The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attahaskell-crypton-x509-validation
DEBIAN-CVE-2026-34182critical9.1Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attaopenssl3.0.20-1~deb12u2
DEBIAN-CVE-2026-46325critical9.8In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE The current implementation incorrectly handles memory regions (MRs) with page sizes different from the linux

Top recent high-severity CVEs (Debian 11 / Debian ecosystem)

CVESev.CVSSSummaryPackageFix inPublished
DEBIAN-CVE-2026-47261high7.5Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the rust-wasmtime
DEBIAN-CVE-2026-53705high7.6A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame()gst-plugins-good1.0
DEBIAN-CVE-2026-53704high7.1A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using regst-plugins-ugly1.0
DEBIAN-CVE-2026-53703high7.1A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5,gst-plugins-ugly1.0
DEBIAN-CVE-2026-52722high7.1A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reagst-plugins-bad1.0
DEBIAN-CVE-2026-52720high8.8A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extendsgst-plugins-bad1.0
DEBIAN-CVE-2026-52719high7.1An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trickgst-plugins-bad1.0
DEBIAN-CVE-2026-11527high8.6Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg olibconfig-inifiles-perl

New to severity terminology? CVE, CVSS, CWE, CPE explained.

Notable

Recent CVEs Debian 11 operators should know.

FAQ

Frequently asked about Debian 11 CVEs

Is Debian 11 still supported in 2026?

Yes — Debian 11 entered LTS in August 2024 (when regular Security Team support ended) and continues through August 2026 under Freexian's volunteer LTS programme. Paid ELTS coverage extends further. Backports are released for the same source packages the Security Tracker covers.

How do I check Debian 11 CVEs on a running host?

For a quick count: apt list --upgradable 2>/dev/null | grep -ci security. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Debian:11 ecosystem feed.

What's the practical difference between Debian 11 and 12 for CVE coverage?

Same data source (Debian Security Tracker, mirrored through OSV). The difference is the package version set and what's been backported. A CVE fixed upstream in openssl 3.2 gets a separate Bullseye backport into the Bullseye-shipped 1.1.1 series and a Bookworm backport into 3.0. Noxen matches against the right per-release fix version automatically.

Scan a Debian 11 fleet with Noxen

Add your Debian 11 hosts via your existing ~/.ssh/config; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip. $79 one-time.

← back to the CVE dashboard   Debian 12 →   AlmaLinux 9 →